Merge ~rafaeldtinoco/ubuntu/+source/bind9:eoan-bind9-merge into ubuntu/+source/bind9:debian/sid

Proposed by Rafael David Tinoco on 2019-06-18
Status: Merged
Approved by: Andreas Hasenack on 2019-06-21
Approved revision: d706ee7da510fd14f5bd4d2333a9cda34b361ac2
Merge reported by: Andreas Hasenack
Merged at revision: ffb2ffe8365e6fc8b96abaaf570b0ec7a87814a3
Proposed branch: ~rafaeldtinoco/ubuntu/+source/bind9:eoan-bind9-merge
Merge into: ubuntu/+source/bind9:debian/sid
Diff against target: 972 lines (+666/-83)
11 files modified
debian/bind9.install (+0/-2)
debian/changelog (+549/-0)
debian/control (+2/-5)
debian/dnsutils.install (+0/-2)
debian/libdns1104.symbols (+0/-66)
debian/patches/CVE-2019-6471.patch (+44/-0)
debian/patches/enable-udp-in-host-command.diff (+26/-0)
debian/patches/fix-shutdown-race.diff (+41/-0)
debian/patches/series (+3/-0)
debian/rules (+1/-4)
debian/tests/simpletest (+0/-4)
Reviewer                               Review Type   Date Requested   Status
Bryce Harrington                                     2019-06-18       Approve on 2019-06-21
Andreas Hasenack                                     2019-06-18       Approve on 2019-06-21
Canonical Server Team                                2019-06-21       Pending
Canonical Server packageset reviewers                2019-06-19       Pending
Review via email: mp+369002@code.launchpad.net

Description of the change

Simple merge from Debian without Ubuntu delta.

PPA for testing:

https://launchpad.net/~rafaeldtinoco/+archive/ubuntu/bindmerge

Will run DEP8 tests right after this request and inform if anything needs attention.

Andreas Hasenack (ahasenack) wrote :

Did you manage to run the dep8 tests locally?

Rafael David Tinoco (rafaeldtinoco) wrote :

> Did you manage to run the dep8 tests locally?

Finishing this step, needed to fix my environment first, sorry for the delay.

Rafael David Tinoco (rafaeldtinoco) wrote :

All good here Andreas.

Bryce Harrington (bryce) wrote :

* Verified all items in Remaining Changes still present in debdiff
* Verified Maintainer
* No changes outside debian/
* In lxc tested installation, uninstallation, and purge
* Ran autopkgtests:
  - - - - - - - - - - results - - - - - - - - - -
  simpletest PASS
  autopkgtest [02:15:41]: @@@@@@@@@@@@@@@@@@@@ summary
  simpletest PASS

* Verified version matches what's in debian unstable, although newer version in debian new:
  bind9 | 1:9.11.5.P4+dfsg-5 | testing | source, amd64, ...
  bind9 | 1:9.11.5.P4+dfsg-5 | unstable | source, amd64, ...
  bind9 | 1:9.11.6+dfsg-1 | new | source, amd64

* I verified we have the CVEs mentioned for 9.11.6 and 9.11.7:

  9.11.6:
  - https://ftp.isc.org/isc/bind/9.11.6/RELEASE-NOTES-bind-9.11.6.html
  - CVE-2018-5740 √
  - CVE-2018-5738 √
  - CVE-2018-5745 √
  - CVE-2018-5744 √
  - CVE-2019-6465 √
  - https://ftp-master.debian.org/new/bind9_1:9.11.6+dfsg-1.html
  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923984

  9.11.7:
  - https://ftp.isc.org/isc/bind/9.11.7/RELEASE-NOTES-bind-9.11.7.html
  - Fixes CVE-2018-5743 √

  Debian's CVE status is here:
  - https://security-tracker.debian.org/tracker/source-package/bind9

* We're missing one CVE, that is provided in the latest upstream bind9:
  9.11.8:
  - https://ftp.isc.org/isc/bind/9.11.8/RELEASE-NOTES-bind-9.11.8.html
  - https://gitlab.isc.org/isc-projects/bind9/commit/7dfef18b05bd5ccd5b17f841212caf152b16c7d3
  - Fixes CVE-2019-6471

Aside from CVEs, I didn't look at what else is changed in the newer upstream versions, but .7 and .8 look fairly minor, and Debian has probably cherrypicked all the valuables from .6.

So, apart from the one outstanding CVE (which might be nice to include but perhaps ok to leave for followup), the package looks good, so I'll give it my +1.

review: Approve
Andreas Hasenack (ahasenack) wrote :

Ping #security to see if they have a patch ready for that for eoan. It was pushed to -security just a few days ago for other releases:
bind9 (1:9.11.3+dfsg-1ubuntu1.8) bionic-security; urgency=medium

  * SECURITY UPDATE: DoS via malformed packets
    - debian/patches/CVE-2019-6471.patch: fix race condition in
      lib/dns/dispatch.c.
    - CVE-2019-6471

 -- Marc Deslauriers <email address hidden> Tue, 18 Jun 2019 18:55:08 -0400

The secteam does not always push it to the devel release, but they eventually take care of it. If the patch is ready, or maybe even if that one above can be cherry-picked, you could add it now on top of the merge.

Andreas Hasenack (ahasenack) wrote :

As discussed on IRC, this needs to be redone to accommodate the 4ubuntu2 upload done to eoan by security, which git-ubuntu just imported (it was stuck).
commit 81c24107e4969cc8dfb6ff3fe18b5a96cde0ddd8 (HEAD -> ubuntu/devel, pkg/ubuntu/devel)
Author: Marc Deslauriers <email address hidden>
Date: Thu Jun 20 08:15:00 2019 -0400

    Import patches-unapplied version 1:9.11.5.P4+dfsg-4ubuntu2 to ubuntu/eoan-proposed

    Imported using git-ubuntu import.

    Changelog parent: 0f045194cca300cc1dd6af415a6af848b65d6a3a

    New changelog entries:
      * SECURITY UPDATE: DoS via malformed packets
        - debian/patches/CVE-2019-6471.patch: fix race condition in
          lib/dns/dispatch.c.
        - CVE-2019-6471

review: Needs Fixing
9bb3c43... by Rafael David Tinoco on 2019-06-21

    - SECURITY UPDATE: DoS via malformed packets
      + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c
      + CVE-2019-6471

cd288bd... by Rafael David Tinoco on 2019-06-21

merge-changelogs

ffb2ffe... by Rafael David Tinoco on 2019-06-21

update-maintainer

Rafael David Tinoco (rafaeldtinoco) wrote :

I believe I've done the split (for the CVE import) and merge (with Debian) correctly now. Could you please confirm? I'm sending this to the PPA also.

Rafael David Tinoco (rafaeldtinoco) wrote :

I'm rebasing and pushing again since the reconstruct-changelog brought my signed-off together. Fixing this and repushing.

Rafael David Tinoco (rafaeldtinoco) wrote :

Done.

Andreas Hasenack (ahasenack) wrote :

Thanks, taking another look.

Andreas Hasenack (ahasenack) wrote :

- delta preserved, as shown via git range-diff rafaeldtinoco/old/debian..rafaeldtinoco/logical/1%9.11.5.P4+dfsg-4ubuntu2 rafaeldtinoco/new/debian..rafaeldtinoco/eoan-bind9-merge
- tags are correct (old/ubuntu, old/debian, new/debian, logical and split)
- changelog correct
- upgrade to ppa version works fine

+1

review: Approve
Bryce Harrington (bryce) wrote :

Inclusion of the CVE looks great.
Debdiff still looking good.

+1 to upload

review: Approve
Andreas Hasenack (ahasenack) wrote :

I'll sponsor this.

9296819... by Rafael David Tinoco on 2019-06-21

reconstruct-changelog

Andreas Hasenack (ahasenack) wrote :

Thanks for the indentation fix, sponsoring that.

Andreas Hasenack (ahasenack) wrote :

Tagged and uploaded:

$ git push pkg upload/1%9.11.5.P4+dfsg-5ubuntu1
Enumerating objects: 61, done.
Counting objects: 100% (61/61), done.
Delta compression using up to 2 threads
Compressing objects: 100% (23/23), done.
Writing objects: 100% (49/49), 11.73 KiB | 750.00 KiB/s, done.
Total 49 (delta 35), reused 35 (delta 26)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/bind9
 * [new tag] upload/1%9.11.5.P4+dfsg-5ubuntu1 -> upload/1%9.11.5.P4+dfsg-5ubuntu1

$ dput ubuntu ../bind9_9.11.5.P4+dfsg-5ubuntu1_source.changes
Checking signature on .changes
gpg: ../bind9_9.11.5.P4+dfsg-5ubuntu1_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../bind9_9.11.5.P4+dfsg-5ubuntu1.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading bind9_9.11.5.P4+dfsg-5ubuntu1.dsc: done.
  Uploading bind9_9.11.5.P4+dfsg.orig.tar.xz: done.
  Uploading bind9_9.11.5.P4+dfsg-5ubuntu1.debian.tar.xz: done.
  Uploading bind9_9.11.5.P4+dfsg-5ubuntu1_source.buildinfo: done.
  Uploading bind9_9.11.5.P4+dfsg-5ubuntu1_source.changes: done.
Successfully uploaded packages.

Andreas Hasenack (ahasenack) wrote :

This migrated.

Preview Diff

1diff --git a/debian/bind9.install b/debian/bind9.install
2index 26d595e..fd7f0f5 100644
3--- a/debian/bind9.install
4+++ b/debian/bind9.install
5@@ -16,7 +16,6 @@ usr/sbin/genrandom
6 usr/sbin/isc-hmac-fixup
7 usr/sbin/named
8 usr/sbin/named-journalprint
9-usr/sbin/named-nzd2nzf
10 usr/sbin/named-pkcs11
11 usr/sbin/nsec3hash
12 usr/sbin/tsig-keygen
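Review bot: dropping usr/sbin/named-nzd2nzf from the install list only holds together if d/rules still configures with --without-lmdb and d/control no longer build-depends on liblmdb-dev, the three-file delta described in the 1:9.11.2.P1-1ubuntu2 changelog entry further down; both files are touched by this proposal (d/rules +1/-4, d/control +2/-5) but their hunks are not shown in this excerpt, so please confirm the --without-lmdb switch survived the merge, otherwise the binary would be built but not shipped.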
13@@ -32,7 +31,6 @@ usr/share/man/man8/dnssec-importkey.8
14 usr/share/man/man8/genrandom.8
15 usr/share/man/man8/isc-hmac-fixup.8
16 usr/share/man/man8/named-journalprint.8
17-usr/share/man/man8/named-nzd2nzf.8
18 usr/share/man/man8/named.8
19 usr/share/man/man8/nsec3hash.8
20 usr/share/man/man8/tsig-keygen.8
21diff --git a/debian/changelog b/debian/changelog
22index caf5655..2492244 100644
23--- a/debian/changelog
24+++ b/debian/changelog
25@@ -1,3 +1,26 @@
26+bind9 (1:9.11.5.P4+dfsg-5ubuntu1) eoan; urgency=medium
27+
28+ * Merge with Debian unstable. Remaining changes:
29+ - Build without lmdb support as that package is in Universe
30+ - Don't build dnstap as it depends on universe packages:
31+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
32+ protobuf-c-compiler (universe packages)
33+ + d/dnsutils.install: don't install dnstap
34+ + d/libdns1104.symbols: don't include dnstap symbols
35+ + d/rules: don't build dnstap nor install dnstap.proto
36+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
37+ option (LP #1804648)
38+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
39+ close to a query timeout (LP #1797926)
40+ - d/t/simpletest: drop the internetsociety.org test as it requires
41+ network egress access that is not available in the Ubuntu autopkgtest
42+ farm.
43+ - SECURITY UPDATE: DoS via malformed packets
44+ + d/p/CVE-2019-6471.patch: fix race condition in lib/dns/dispatch.c
45+ + CVE-2019-6471
46+
47+ -- Rafael David Tinoco <rafaeldtinoco@ubuntu.com> Fri, 21 Jun 2019 18:06:22 +0000
48+
49 bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
50
51 * AppArmor: Allow /var/tmp/krb5_* (owner-only) for Samba AD DLZ.
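Review bot: the "Build without lmdb support as that package is in Universe" bullet has no per-file sub-items, while the dnstap bullet right below it lists d/control, d/dnsutils.install, d/libdns1104.symbols and d/rules; to let a reader trace the d/bind9.install, d/control and d/rules hunks of this delta, consider restoring the breakdown from the 1:9.11.2.P1-1ubuntu2 entry (d/control: remove Build-Depends on liblmdb-dev; d/rules: configure --without-lmdb; d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8). The SECURITY UPDATE item for CVE-2019-6471 correctly stays under Remaining changes, since Debian's -5 entry (03 May 2019) predates the fix; it becomes a Dropped candidate at the next merge once Debian ships 9.11.8 or cherry-picks the fix, as the review comments above note.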
52@@ -5,6 +28,69 @@ bind9 (1:9.11.5.P4+dfsg-5) unstable; urgency=medium
53
54 -- Bernhard Schmidt <berni@debian.org> Fri, 03 May 2019 19:44:57 +0200
55
56+bind9 (1:9.11.5.P4+dfsg-4ubuntu2) eoan; urgency=medium
57+
58+ * SECURITY UPDATE: DoS via malformed packets
59+ - debian/patches/CVE-2019-6471.patch: fix race condition in
60+ lib/dns/dispatch.c.
61+ - CVE-2019-6471
62+
63+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Jun 2019 08:15:00 -0400
64+
65+bind9 (1:9.11.5.P4+dfsg-4ubuntu1) eoan; urgency=medium
66+
67+ * Merge with Debian unstable. Remaining changes:
68+ - Build without lmdb support as that package is in Universe
69+ - Don't build dnstap as it depends on universe packages:
70+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
71+ protobuf-c-compiler (universe packages)
72+ + d/dnsutils.install: don't install dnstap
73+ + d/libdns1104.symbols: don't include dnstap symbols
74+ + d/rules: don't build dnstap nor install dnstap.proto
75+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
76+ option (LP #1804648)
77+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
78+ close to a query timeout (LP #1797926)
79+ - d/t/simpletest: drop the internetsociety.org test as it requires
80+ network egress access that is not available in the Ubuntu autopkgtest
81+ farm.
82+ * Dropped:
83+ - SECURITY UPDATE: memory leak via specially crafted packet
84+ + debian/patches/CVE-2018-5744.patch: silently drop additional keytag
85+ options in bin/named/client.c.
86+ + CVE-2018-5744
87+ [Fixed upstream in 9.11.5-P2]
88+ - SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
89+ unsupported key algorithm when using managed-keys
90+ + debian/patches/CVE-2018-5745.patch: properly handle situations when
91+ the key tag cannot be computed in lib/dns/include/dst/dst.h,
92+ lib/dns/zone.c.
93+ + CVE-2018-5745
94+ [Fixed upstream in 9.11.5-P2]
95+ - SECURITY UPDATE: Controls for zone transfers may not be properly
96+ applied to Dynamically Loadable Zones (DLZs) if the zones are writable
97+ + debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
98+ the zone table as a DLZ zone bin/named/xfrout.c.
99+ + CVE-2019-6465
100+ [Fixed upstream in 9.11.5-P3]
101+ - SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
102+ + debian/patches/CVE-2018-5743.patch: add reference counting in
103+ bin/named/client.c, bin/named/include/named/client.h,
104+ bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
105+ lib/isc/include/isc/quota.h, lib/isc/quota.c,
106+ lib/isc/win32/libisc.def.in.
107+ + debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
108+ operations with isc_refcount reference counting in
109+ bin/named/client.c, bin/named/include/named/interfacemgr.h,
110+ bin/named/interfacemgr.c.
111+ + debian/libisc1100.symbols: added new symbols.
112+ + CVE-2018-5743
113+ [Fixed in 1:9.11.5.P4+dfsg-4]
114+ - d/rules: add back EdDSA support (LP #1825712)
115+ [Fixed in 1:9.11.5.P4+dfsg-4]
116+
117+ -- Andreas Hasenack <andreas@canonical.com> Thu, 02 May 2019 13:35:59 -0300
118+
119 bind9 (1:9.11.5.P4+dfsg-4) unstable; urgency=medium
120
121 [ Bernhard Schmidt ]
122@@ -77,12 +163,114 @@ bind9 (1:9.11.5.P1+dfsg-2) unstable; urgency=medium
123
124 -- Bernhard Schmidt <berni@debian.org> Tue, 12 Feb 2019 00:34:21 +0100
125
126+bind9 (1:9.11.5.P1+dfsg-1ubuntu4) eoan; urgency=medium
127+
128+ * d/rules: add back EdDSA support (LP: #1825712)
129+
130+ -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Apr 2019 14:04:37 +0000
131+
132+bind9 (1:9.11.5.P1+dfsg-1ubuntu3) eoan; urgency=medium
133+
134+ * SECURITY UPDATE: limiting simultaneous TCP clients is ineffective
135+ - debian/patches/CVE-2018-5743.patch: add reference counting in
136+ bin/named/client.c, bin/named/include/named/client.h,
137+ bin/named/include/named/interfacemgr.h, bin/named/interfacemgr.c,
138+ lib/isc/include/isc/quota.h, lib/isc/quota.c,
139+ lib/isc/win32/libisc.def.in.
140+ - debian/patches/CVE-2018-5743-atomic-fix.patch: replace atomic
141+ operations with isc_refcount reference counting in
142+ bin/named/client.c, bin/named/include/named/interfacemgr.h,
143+ bin/named/interfacemgr.c.
144+ - debian/libisc1100.symbols: added new symbols.
145+ - CVE-2018-5743
146+
147+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 24 Apr 2019 05:00:07 -0400
148+
149+bind9 (1:9.11.5.P1+dfsg-1ubuntu2) disco; urgency=medium
150+
151+ * SECURITY UPDATE: memory leak via specially crafted packet
152+ - debian/patches/CVE-2018-5744.patch: silently drop additional keytag
153+ options in bin/named/client.c.
154+ - CVE-2018-5744
155+ * SECURITY UPDATE: assertion failure when a trust anchor rolls over to an
156+ unsupported key algorithm when using managed-keys
157+ - debian/patches/CVE-2018-5745.patch: properly handle situations when
158+ the key tag cannot be computed in lib/dns/include/dst/dst.h,
159+ lib/dns/zone.c.
160+ - CVE-2018-5745
161+ * SECURITY UPDATE: Controls for zone transfers may not be properly
162+ applied to Dynamically Loadable Zones (DLZs) if the zones are writable
163+ - debian/patches/CVE-2019-6465.patch: handle zone transfers marked in
164+ the zone table as a DLZ zone bin/named/xfrout.c.
165+ - CVE-2019-6465
166+
167+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 22 Feb 2019 10:52:30 +0100
168+
169+bind9 (1:9.11.5.P1+dfsg-1ubuntu1) disco; urgency=medium
170+
171+ * Merge with Debian unstable. Remaining changes:
172+ - Build without lmdb support as that package is in Universe
173+ - Don't build dnstap as it depends on universe packages:
174+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
175+ protobuf-c-compiler (universe packages)
176+ + d/dnsutils.install: don't install dnstap
177+ + d/libdns1104.symbols: don't include dnstap symbols
178+ + d/rules: don't build dnstap nor install dnstap.proto
179+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
180+ option (LP #1804648)
181+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
182+ close to a query timeout (LP #1797926)
183+ - d/t/simpletest: drop the internetsociety.org test as it requires
184+ network egress access that is not available in the Ubuntu autopkgtest
185+ farm.
186+
187+ -- Andreas Hasenack <andreas@canonical.com> Thu, 17 Jan 2019 18:59:25 -0200
188+
189 bind9 (1:9.11.5.P1+dfsg-1) unstable; urgency=medium
190
191 * New upstream version 9.11.5.P1+dfsg
192
193 -- Ondřej Surý <ondrej@debian.org> Tue, 18 Dec 2018 13:59:25 +0000
194
195+bind9 (1:9.11.5+dfsg-1ubuntu1) disco; urgency=medium
196+
197+ * Merge with Debian unstable. Remaining changes:
198+ - Build without lmdb support as that package is in Universe
199+ - Don't build dnstap as it depends on universe packages:
200+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
201+ protobuf-c-compiler (universe packages)
202+ + d/dnsutils.install: don't install dnstap
203+ + d/libdns1104.symbols: don't include dnstap symbols
204+ + d/rules: don't build dnstap nor install dnstap.proto
205+ * Dropped:
206+ - SECURITY UPDATE: denial of service crash when deny-answer-aliases
207+ option is used
208+ + debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
209+ trigger a crash if deny-answer-aliases was set
210+ + debian/patches/CVE-2018-5740-2.patch: add tests
211+ + debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
212+ chainingp correctly, add test
213+ + CVE-2018-5740
214+ [Fixed in new upstream version 9.11.5]
215+ - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
216+ line (Closes: #904983)
217+ [Fixed in 1:9.11.4+dfsg-4]
218+ - Add a patch to fix named-pkcs11 crashing on startup. (LP #1769440)
219+ [Fixed in 1:9.11.4.P1+dfsg-1]
220+ - Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
221+ (it depends on OpenSSL version) (Closes: #897643)
222+ [Fixed in 1:9.11.4.P1+dfsg-1]
223+ * Added:
224+ - d/p/enable-udp-in-host-command.diff: fix parsing of the -U command line
225+ option (LP: #1804648)
226+ - d/p/fix-shutdown-race.diff: dig/host/nslookup could crash when interrupted
227+ close to a query timeout (LP: #1797926)
228+ - d/t/simpletest: drop the internetsociety.org test as it requires
229+ network egress access that is not available in the Ubuntu autopkgtest
230+ farm.
231+
232+ -- Andreas Hasenack <andreas@canonical.com> Thu, 13 Dec 2018 19:40:23 -0200
233+
234 bind9 (1:9.11.5+dfsg-1) unstable; urgency=medium
235
236 * Use team+dns@tracker.debian.org as Maintainer address
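Review bot: "caclulate" in the CVE-2018-5740-3 item of the 1:9.11.5+dfsg-1ubuntu1 entry (and again in the 3ubuntu4 entry it was copied from) is a typo, but both entries were already released, so leave them as they are; merge-changelogs must reproduce released history verbatim and only the new 5ubuntu1 entry at the top should be edited.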
237@@ -144,6 +332,55 @@ bind9 (1:9.11.4+dfsg-4) unstable; urgency=medium
238
239 -- Bernhard Schmidt <berni@debian.org> Mon, 30 Jul 2018 16:28:21 +0200
240
241+bind9 (1:9.11.4+dfsg-3ubuntu5) cosmic; urgency=high
242+
243+ * No change rebuild against openssl 1.1.1 with TLS 1.3 support.
244+
245+ -- Dimitri John Ledkov <xnox@ubuntu.com> Sat, 29 Sep 2018 01:36:45 +0100
246+
247+bind9 (1:9.11.4+dfsg-3ubuntu4) cosmic; urgency=medium
248+
249+ * SECURITY UPDATE: denial of service crash when deny-answer-aliases
250+ option is used
251+ - debian/patches/CVE-2018-5740-1.patch: explicit DNAME query could
252+ trigger a crash if deny-answer-aliases was set
253+ - debian/patches/CVE-2018-5740-2.patch: add tests
254+ - debian/patches/CVE-2018-5740-3.patch: caclulate nlabels and set
255+ chainingp correctly, add test
256+ - CVE-2018-5740
257+
258+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 20 Sep 2018 11:11:05 +0200
259+
260+bind9 (1:9.11.4+dfsg-3ubuntu3) cosmic; urgency=medium
261+
262+ * Cherrypick from debian: Add new dst__openssleddsa_init optional symbol
263+ (it depends on OpenSSL version) (Closes: #897643)
264+
265+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 18 Sep 2018 10:39:12 +0200
266+
267+bind9 (1:9.11.4+dfsg-3ubuntu2) cosmic; urgency=medium
268+
269+ * d/p/skip-rtld-deepbind-for-dyndb.diff: Add a patch to fix named-pkcs11
270+ crashing on startup. (LP: #1769440)
271+
272+ -- Karl Stenerud <karl.stenerud@canonical.com> Thu, 30 Aug 2018 07:11:39 -0700
273+
274+bind9 (1:9.11.4+dfsg-3ubuntu1) cosmic; urgency=medium
275+
276+ * Merge with Debian unstable. Remaining changes:
277+ - Build without lmdb support as that package is in Universe
278+ * Added:
279+ - Don't build dnstap as it depends on universe packages:
280+ + d/control: drop build-depends on libfstrm-dev, libprotobuf-c-dev and
281+ protobuf-c-compiler (universe packages)
282+ + d/dnsutils.install: don't install dnstap
283+ + d/libdns1102.symbols: don't include dnstap symbols
284+ + d/rules: don't build dnstap
285+ - d/extras/apparmor.d/usr.sbin.named: add missing comma at the end of the
286+ line (Closes: #904983)
287+
288+ -- Andreas Hasenack <andreas@canonical.com> Mon, 30 Jul 2018 10:56:04 -0300
289+
290 bind9 (1:9.11.4+dfsg-3) unstable; urgency=medium
291
292 * Enable IDN support for dig+host using libidn2 (Closes: #459010)
293@@ -174,6 +411,19 @@ bind9 (1:9.11.4+dfsg-1) unstable; urgency=medium
294
295 -- Ondřej Surý <ondrej@debian.org> Sat, 14 Jul 2018 12:27:56 +0000
296
297+bind9 (1:9.11.3+dfsg-2ubuntu1) cosmic; urgency=medium
298+
299+ * Merge with Debian unstable (LP: #1777935). Remaining changes:
300+ - Build without lmdb support as that package is in Universe
301+ * Drop:
302+ - SECURITY UPDATE: improperly permits recursive query service
303+ + debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
304+ in bin/named/server.c.
305+ + CVE-2018-5738
306+ [Applied in Debian's 1:9.11.3+dfsg-2]
307+
308+ -- Andreas Hasenack <andreas@canonical.com> Wed, 20 Jun 2018 17:42:16 -0300
309+
310 bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
311
312 * [CVE-2018-5738]: Add upstream fix to close the default open recursion
313@@ -182,6 +432,24 @@ bind9 (1:9.11.3+dfsg-2) unstable; urgency=medium
314
315 -- Ondřej Surý <ondrej@debian.org> Thu, 14 Jun 2018 13:01:47 +0000
316
317+bind9 (1:9.11.3+dfsg-1ubuntu2) cosmic; urgency=medium
318+
319+ * SECURITY UPDATE: improperly permits recursive query service
320+ - debian/patches/CVE-2018-5738.patch: fix configure_view_acl() handling
321+ in bin/named/server.c.
322+ - CVE-2018-5738
323+
324+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 11 Jun 2018 09:41:51 -0400
325+
326+bind9 (1:9.11.3+dfsg-1ubuntu1) bionic; urgency=low
327+
328+ * New upstream release. (LP: #1763572)
329+ - fix a crash when configured with ipa-dns-install
330+ * Merge from Debian unstable. Remaining changes:
331+ - Build without lmdb support as that package is in Universe
332+
333+ -- Timo Aaltonen <tjaalton@debian.org> Fri, 13 Apr 2018 07:40:47 +0300
334+
335 bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
336
337 [ Bernhard Schmidt ]
338@@ -206,6 +474,61 @@ bind9 (1:9.11.3+dfsg-1) unstable; urgency=medium
339
340 -- Bernhard Schmidt <berni@debian.org> Fri, 23 Mar 2018 00:09:58 +0100
341
342+bind9 (1:9.11.2.P1-1ubuntu5) bionic; urgency=medium
343+
344+ * debian/patches/nsupdate-gssapi-fails-ad-45854.patch: fix updating
345+ DNS records in Microsoft AD using GSSAPI. Thanks to Mark Andrews
346+ <marka@isc.org>. (LP: #1755439)
347+
348+ -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Mar 2018 09:38:46 -0300
349+
350+bind9 (1:9.11.2.P1-1ubuntu4) bionic; urgency=medium
351+
352+ * Fix apparmor profile filename (LP: #1754981)
353+
354+ -- Andreas Hasenack <andreas@canonical.com> Thu, 15 Mar 2018 10:06:57 -0300
355+
356+bind9 (1:9.11.2.P1-1ubuntu3) bionic; urgency=high
357+
358+ * No change rebuild against openssl1.1.
359+
360+ -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 06 Feb 2018 12:14:22 +0000
361+
362+bind9 (1:9.11.2.P1-1ubuntu2) bionic; urgency=medium
363+
364+ * Build without lmdb support as that package is in Universe (LP: #1746296)
365+ - d/control: remove Build-Depends on liblmdb-dev
366+ - d/rules: configure --without-lmdb
367+ - d/bind9.install: drop named-nzd2nzf and named-nzd2nzf.8 as it requires
368+ lmdb.
369+
370+ -- Andreas Hasenack <andreas@canonical.com> Tue, 30 Jan 2018 15:21:23 -0200
371+
372+bind9 (1:9.11.2.P1-1ubuntu1) bionic; urgency=medium
373+
374+ * Merge with Debian unstable (LP: #1744930).
375+ * Drop:
376+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
377+ (LP #1536181).
378+ [fixed in 1:9.10.6+dfsg-4]
379+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
380+ [adopted in 1:9.10.6+dfsg-5]
381+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
382+ introduced with the CVE-2016-8864.patch and fixed in
383+ CVE-2016-8864-regression.patch.
384+ [applied upstream]
385+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
386+ regression (RT #44318) introduced with the CVE-2016-8864.patch
387+ and fixed in CVE-2016-8864-regression2.patch.
388+ [applied upstream]
389+ - d/control, d/rules: add json support for the statistics channels.
390+ (LP #1669193)
391+ [adopted in 1:9.10.6+dfsg-5]
392+ * d/p/add-ply-dependency-to-python-scripts.patch: setup.py is missing
393+ listing the python ply module as a dependency (Closes: #888463)
394+
395+ -- Andreas Hasenack <andreas@canonical.com> Fri, 26 Jan 2018 11:20:33 -0200
396+
397 bind9 (1:9.11.2.P1-1) unstable; urgency=medium
398
399 * New upstream version 9.11.2-P1
400@@ -381,6 +704,140 @@ bind9 (1:9.10.6+dfsg-1) unstable; urgency=medium
401
402 -- Ondřej Surý <ondrej@debian.org> Fri, 06 Oct 2017 06:18:21 +0000
403
404+bind9 (1:9.10.3.dfsg.P4-12.6ubuntu1) artful; urgency=medium
405+
406+ * Merge with Debian unstable (LP: #1712920). Remaining changes:
407+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
408+ (LP #1536181).
409+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
410+ - d/p/CVE-2016-8864-regression-test.patch: tests for the regression
411+ introduced with the CVE-2016-8864.patch and fixed in
412+ CVE-2016-8864-regression.patch.
413+ - d/p/CVE-2016-8864-regression2-test.patch: tests for the second
414+ regression (RT #44318) introduced with the CVE-2016-8864.patch
415+ and fixed in CVE-2016-8864-regression2.patch.
416+ - d/control, d/rules: add json support for the statistics channels.
417+ (LP #1669193)
418+
419+ -- Andreas Hasenack <andreas@canonical.com> Thu, 24 Aug 2017 18:28:00 -0300
420+
421+bind9 (1:9.10.3.dfsg.P4-12.6) unstable; urgency=medium
422+
423+ * Non-maintainer upload.
424+ * Import upcoming DNSSEC KSK-2017 from 9.10.5 (Closes: #860794)
425+
426+ -- Bernhard Schmidt <berni@debian.org> Fri, 11 Aug 2017 19:10:07 +0200
427+
428+bind9 (1:9.10.3.dfsg.P4-12.5ubuntu1) artful; urgency=medium
429+
430+ * Merge with Debian unstable (LP: #1701687). Remaining changes:
431+ - Add RemainAfterExit to bind9-resolvconf unit configuration file
432+ (LP #1536181).
433+ - rules: Fix path to libsofthsm2.so. (LP #1685780)
434+ * Drop:
435+ - SECURITY UPDATE: denial of service via assertion failure
436+ + debian/patches/CVE-2016-2776.patch: properly handle lengths in
437+ lib/dns/message.c.
438+ + CVE-2016-2776
439+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
440+ - SECURITY UPDATE: assertion failure via class mismatch
441+ + debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
442+ records in lib/dns/resolver.c.
443+ + CVE-2016-9131
444+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
445+ - SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
446+ + debian/patches/CVE-2016-9147.patch: fix logic when records are
447+ returned without the requested data in lib/dns/resolver.c.
448+ + CVE-2016-9147
449+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
450+ - SECURITY UPDATE: assertion failure via unusually-formed DS record
451+ + debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
452+ lib/dns/message.c, lib/dns/resolver.c.
453+ + CVE-2016-9444
454+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11]
455+ - SECURITY UPDATE: regression in CVE-2016-8864
456+ + debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
457+ responses in lib/dns/resolver.c, added tests to
458+ bin/tests/system/dname/ns2/example.db,
459+ bin/tests/system/dname/tests.sh.
460+ + No CVE number
461+ + [Fixed in Debian 1:9.10.3.dfsg.P4-11 and 1:9.10.3.dfsg.P4-12]
462+ - SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
463+ a NULL pointer
464+ + debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
465+ combination in bin/named/query.c, lib/dns/message.c,
466+ lib/dns/rdataset.c.
467+ + CVE-2017-3135
468+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
469+ - SECURITY UPDATE: regression in CVE-2016-8864
470+ + debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
471+ was still being cached when it should have been in lib/dns/resolver.c,
472+ added tests to bin/tests/system/dname/ans3/ans.pl,
473+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
474+ + No CVE number
475+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12]
476+ - SECURITY UPDATE: Denial of Service due to an error handling
477+ synthesized records when using DNS64 with "break-dnssec yes;"
478+ + debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
479+ called.
480+ + CVE-2017-3136
481+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
482+ - SECURITY UPDATE: Denial of Service due to resolver terminating when
483+ processing a response packet containing a CNAME or DNAME
484+ + debian/patches/CVE-2017-3137.patch: don't expect a specific
485+ ordering of answer components; add testcases.
486+ + CVE-2017-3137
487+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3 with 3 patch files]
488+ - SECURITY UPDATE: Denial of Service when receiving a null command on
489+ the control channel
490+ + debian/patches/CVE-2017-3138.patch: don't throw an assert if no
491+ command token is given; add testcase.
492+ + CVE-2017-3138
493+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.3]
494+ - SECURITY UPDATE: TSIG authentication issues
495+ + debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
496+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
497+ + CVE-2017-3142
498+ + CVE-2017-3143
499+ + [Fixed in Debian 1:9.10.3.dfsg.P4-12.4]
500+ * d/p/CVE-2016-8864-regression-test.patch: tests for the regression
501+ introduced with the CVE-2016-8864.patch and fixed in
502+ CVE-2016-8864-regression.patch.
503+ * d/p/CVE-2016-8864-regression2-test.patch: tests for the second
504+ regression (RT #44318) introduced with the CVE-2016-8864.patch
505+ and fixed in CVE-2016-8864-regression2.patch.
506+ * d/control, d/rules: add json support for the statistics channels.
507+ (LP: #1669193)
508+
509+ -- Andreas Hasenack <andreas@canonical.com> Fri, 11 Aug 2017 17:12:09 -0300
510+
511+bind9 (1:9.10.3.dfsg.P4-12.5) unstable; urgency=medium
512+
513+ * Non-maintainer upload.
514+ * Change to fix CVE-2017-3142 and CVE-2017-3143 broke verification of TSIG
515+ signed TCP message sequences where not all the messages contain TSIG
516+ records. These may be used in AXFR and IXFR responses.
517+ (Closes: #868952)
518+
519+ -- Salvatore Bonaccorso <carnil@debian.org> Fri, 21 Jul 2017 22:28:32 +0200
520+
521+bind9 (1:9.10.3.dfsg.P4-12.4) unstable; urgency=high
522+
523+ * Non-maintainer upload.
524+
525+ [ Yves-Alexis Perez ]
526+ * debian/patches:
527+ - debian/patches/CVE-2017-3142+CVE-2017-3143 added, fix TSIG bypasses
528+ CVE-2017-3142: error in TSIG authentication can permit unauthorized zone
529+ transfers. An attacker may be able to circumvent TSIG authentication of
530+ AXFR and Notify requests.
531+ CVE-2017-3143: error in TSIG authentication can permit unauthorized
532+ dynamic updates. An attacker may be able to forge a valid TSIG or SIG(0)
533+ signature for a dynamic update.
534+ (Closes: #866564)
535+
536+ -- Salvatore Bonaccorso <carnil@debian.org> Sun, 16 Jul 2017 22:13:21 +0200
537+
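Review bot: in the 12.5ubuntu1 Drop list the fix for CVE-2017-3142 and CVE-2017-3143 is recorded as debian/patches/CVE-2017-3042,3043.patch, a filename that does not match the CVE ids it addresses (the 12.4 NMU entry below it names the same fix CVE-2017-3142+CVE-2017-3143); this is released history and must stay verbatim, but anyone auditing d/patches by CVE id should know the Ubuntu patch was misnamed and will not be found by grepping for CVE-2017-3142.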
538 bind9 (1:9.10.3.dfsg.P4-12.3+deb9u3) stretch; urgency=medium
539
540 [ Bernhard Schmidt ]
541@@ -487,6 +944,98 @@ bind9 (1:9.10.3.dfsg.P4-11) unstable; urgency=medium
542
543 -- Michael Gilbert <mgilbert@debian.org> Thu, 19 Jan 2017 04:03:28 +0000
544
545+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu7) artful; urgency=medium
546+
547+ * SECURITY UPDATE: TSIG authentication issues
548+ - debian/patches/CVE-2017-3042,3043.patch: fix TSIG logic in
549+ lib/dns/dnssec.c, lib/dns/message.c, lib/dns/tsig.c.
550+ - CVE-2017-3142
551+ - CVE-2017-3143
552+
553+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Jul 2017 09:48:13 -0400
554+
555+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu6) artful; urgency=medium
556+
557+ * rules: Fix path to libsofthsm2.so. (LP: #1685780)
558+
559+ -- Timo Aaltonen <tjaalton@debian.org> Mon, 24 Apr 2017 15:01:30 +0300
560+
561+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu5) zesty-security; urgency=medium
562+
563+ * SECURITY UPDATE: Denial of Service due to an error handling
564+ synthesized records when using DNS64 with "break-dnssec yes;"
565+ - debian/patches/CVE-2017-3136.patch: reset noqname if query_dns64()
566+ called.
567+ - CVE-2017-3136
568+ * SECURITY UPDATE: Denial of Service due to resolver terminating when
569+ processing a response packet containing a CNAME or DNAME
570+ - debian/patches/CVE-2017-3137.patch: don't expect a specific
571+ ordering of answer components; add testcases.
572+ - CVE-2017-3137
573+ * SECURITY UPDATE: Denial of Service when receiving a null command on
574+ the control channel
575+ - debian/patches/CVE-2017-3138.patch: don't throw an assert if no
576+ command token is given; add testcase.
577+ - CVE-2017-3138
578+
579+ -- Steve Beattie <sbeattie@ubuntu.com> Wed, 12 Apr 2017 01:32:15 -0700
580+
581+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu4) zesty; urgency=medium
582+
583+ * SECURITY UPDATE: Combining dns64 and rpz can result in dereferencing
584+ a NULL pointer
585+ - debian/patches/CVE-2017-3135.patch: properly handle dns64 and rpz
586+ combination in bin/named/query.c, lib/dns/message.c,
587+ lib/dns/rdataset.c.
588+ - CVE-2017-3135
589+ * SECURITY UPDATE: regression in CVE-2016-8864
590+ - debian/patches/rt44318.patch: synthesised CNAME before matching DNAME
591+ was still being cached when it should have been in lib/dns/resolver.c,
592+ added tests to bin/tests/system/dname/ans3/ans.pl,
593+ bin/tests/system/dname/ns1/root.db, bin/tests/system/dname/tests.sh.
594+ - No CVE number
595+
596+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 15 Feb 2017 09:37:39 -0500
597+
598+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu3) zesty; urgency=medium
599+
600+ * SECURITY UPDATE: assertion failure via class mismatch
601+ - debian/patches/CVE-2016-9131.patch: properly handle certain TKEY
602+ records in lib/dns/resolver.c.
603+ - CVE-2016-9131
604+ * SECURITY UPDATE: assertion failure via inconsistent DNSSEC information
605+ - debian/patches/CVE-2016-9147.patch: fix logic when records are
606+ returned without the requested data in lib/dns/resolver.c.
607+ - CVE-2016-9147
608+ * SECURITY UPDATE: assertion failure via unusually-formed DS record
609+ - debian/patches/CVE-2016-9444.patch: handle missing RRSIGs in
610+ lib/dns/message.c, lib/dns/resolver.c.
611+ - CVE-2016-9444
612+ * SECURITY UPDATE: regression in CVE-2016-8864
613+ - debian/patches/rt43779.patch: properly handle CNAME -> DNAME in
614+ responses in lib/dns/resolver.c, added tests to
615+ bin/tests/system/dname/ns2/example.db,
616+ bin/tests/system/dname/tests.sh.
617+ - No CVE number
618+
619+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 25 Jan 2017 09:28:10 -0500
620+
621+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu2) zesty; urgency=medium
622+
623+ * Add RemainAfterExit to bind9-resolvconf unit configuration file
624+ (LP: #1536181).
625+
626+ -- Nishanth Aravamudan <nish.aravamudan@canonical.com> Tue, 15 Nov 2016 08:24:58 -0800
627+
628+bind9 (1:9.10.3.dfsg.P4-10.1ubuntu1) yakkety; urgency=medium
629+
630+ * SECURITY UPDATE: denial of service via assertion failure
631+ - debian/patches/CVE-2016-2776.patch: properly handle lengths in
632+ lib/dns/message.c.
633+ - CVE-2016-2776
634+
635+ -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 04 Oct 2016 14:31:17 -0400
636+
637 bind9 (1:9.10.3.dfsg.P4-10.1) unstable; urgency=medium
638
639 * Non-maintainer upload.
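Review bot: the 1:9.10.3.dfsg.P4-10.1ubuntu7 entry names the patch as debian/patches/CVE-2017-3042,3043.patch while the CVE lines directly under it are CVE-2017-3142 and CVE-2017-3143. This is an already-released historical entry and must not be rewritten in a merge, but the mismatch is worth knowing about, because grepping the changelog for the file name will not find those CVE ids. Beyond that, this hunk only restores the old Ubuntu changelog history that Debian's changelog lacks, which is expected for a merge and carries no new delta.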
640diff --git a/debian/control b/debian/control
641index 73c2a17..3d7f03d 100644
642--- a/debian/control
643+++ b/debian/control
644@@ -1,7 +1,8 @@
645 Source: bind9
646 Section: net
647 Priority: optional
648-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
649+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
650+XSBC-Original-Maintainer: Debian DNS Team <team+dns@tracker.debian.org>
651 Uploaders: LaMont Jones <lamont@debian.org>,
652 Michael Gilbert <mgilbert@debian.org>,
653 Robie Basak <robie.basak@canonical.com>,
654@@ -15,18 +16,14 @@ Build-Depends: bison,
655 dpkg-dev (>= 1.16.1~),
656 libcap2-dev [!kfreebsd-i386 !kfreebsd-amd64 !hurd-i386],
657 libdb-dev (>>4.6),
658- libfstrm-dev,
659 libgeoip-dev (>= 1.4.6.dfsg-5),
660 libidn2-dev,
661 libjson-c-dev,
662 libkrb5-dev,
663 libldap2-dev,
664- liblmdb-dev,
665- libprotobuf-c-dev,
666 libssl-dev,
667 libtool,
668 libxml2-dev,
669- protobuf-c-compiler,
670 python3,
671 python3-distutils,
672 python3-ply
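Review bot: the four dropped Build-Depends (libfstrm-dev, libprotobuf-c-dev and protobuf-c-compiler for dnstap, liblmdb-dev for lmdb) line up with the debian/rules changes further down (--without-lmdb, --enable-dnstap removed) and with usr/bin/dnstap-read leaving dnsutils.install, so the control change is self-consistent. Because this is a real feature delta against Debian rather than packaging cosmetics, make sure the top changelog entry says why dnstap and lmdb stay disabled in Ubuntu; otherwise the next merger has no way to tell whether the delta can be dropped.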
673diff --git a/debian/dnsutils.install b/debian/dnsutils.install
674index 90e4fba..5e6b7d9 100644
675--- a/debian/dnsutils.install
676+++ b/debian/dnsutils.install
677@@ -1,12 +1,10 @@
678 usr/bin/delv
679 usr/bin/dig
680-usr/bin/dnstap-read
681 usr/bin/mdig
682 usr/bin/nslookup
683 usr/bin/nsupdate
684 usr/share/man/man1/delv.1
685 usr/share/man/man1/dig.1
686-usr/share/man/man1/dnstap-read.1
687 usr/share/man/man1/mdig.1
688 usr/share/man/man1/nslookup.1
689 usr/share/man/man1/nsupdate.1
690diff --git a/debian/libdns1104.symbols b/debian/libdns1104.symbols
691index d7c98d4..7b6020e 100644
692--- a/debian/libdns1104.symbols
693+++ b/debian/libdns1104.symbols
694@@ -358,21 +358,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
695 dns_dsdigest_format@Base 1:9.11.3+dfsg
696 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
697 dns_dsdigest_totext@Base 1:9.11.3+dfsg
698- dns_dt_attach@Base 1:9.11.4.P1
699- dns_dt_close@Base 1:9.11.4.P1
700- dns_dt_create@Base 1:9.11.4.P1
701- dns_dt_datatotext@Base 1:9.11.4.P1
702- dns_dt_detach@Base 1:9.11.4.P1
703- dns_dt_getframe@Base 1:9.11.4.P1
704- dns_dt_getstats@Base 1:9.11.4.P1
705- dns_dt_open@Base 1:9.11.4.P1
706- dns_dt_parse@Base 1:9.11.4.P1
707- dns_dt_reopen@Base 1:9.11.4.P1
708- dns_dt_send@Base 1:9.11.4.P1
709- dns_dt_setidentity@Base 1:9.11.4.P1
710- dns_dt_setversion@Base 1:9.11.4.P1
711- dns_dt_shutdown@Base 1:9.11.4.P1
712- dns_dtdata_free@Base 1:9.11.4.P1
713 dns_dumpctx_attach@Base 1:9.11.3+dfsg
714 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
715 dns_dumpctx_db@Base 1:9.11.3+dfsg
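Review bot: removing the dns_dt_* and dnstap__* symbols from libdns1104.symbols (this hunk and the three that follow, for both libdns-pkcs11.so.1104 and libdns.so.1104) is required for dpkg-gensymbols to pass once dnstap is compiled out, but it also means the Ubuntu libdns1104 binary exports fewer symbols than Debian's package of the same name and version. A quick reverse-dependency check that nothing in the archive outside src:bind9 links against the dns_dt_* entry points would close that question; if nothing does, the symbol drop is harmless.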
716@@ -1443,24 +1428,6 @@ libdns-pkcs11.so.1104 libdns1104 #MINVER#
717 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
718 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
719 dns_zt_unmount@Base 1:9.11.3+dfsg
720- dnstap__dnstap__descriptor@Base 1:9.11.4.P1
721- dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1
722- dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1
723- dnstap__dnstap__init@Base 1:9.11.4.P1
724- dnstap__dnstap__pack@Base 1:9.11.4.P1
725- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1
726- dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1
727- dnstap__dnstap__unpack@Base 1:9.11.4.P1
728- dnstap__message__descriptor@Base 1:9.11.4.P1
729- dnstap__message__free_unpacked@Base 1:9.11.4.P1
730- dnstap__message__get_packed_size@Base 1:9.11.4.P1
731- dnstap__message__init@Base 1:9.11.4.P1
732- dnstap__message__pack@Base 1:9.11.4.P1
733- dnstap__message__pack_to_buffer@Base 1:9.11.4.P1
734- dnstap__message__type__descriptor@Base 1:9.11.4.P1
735- dnstap__message__unpack@Base 1:9.11.4.P1
736- dnstap__socket_family__descriptor@Base 1:9.11.4.P1
737- dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1
738 dst__entropy_getdata@Base 1:9.11.3+dfsg
739 dst__entropy_status@Base 1:9.11.3+dfsg
740 dst__gssapi_init@Base 1:9.11.3+dfsg
741@@ -1940,21 +1907,6 @@ libdns.so.1104 libdns1104 #MINVER#
742 dns_dsdigest_format@Base 1:9.11.3+dfsg
743 dns_dsdigest_fromtext@Base 1:9.11.3+dfsg
744 dns_dsdigest_totext@Base 1:9.11.3+dfsg
745- dns_dt_attach@Base 1:9.11.4.P1
746- dns_dt_close@Base 1:9.11.4.P1
747- dns_dt_create@Base 1:9.11.4.P1
748- dns_dt_datatotext@Base 1:9.11.4.P1
749- dns_dt_detach@Base 1:9.11.4.P1
750- dns_dt_getframe@Base 1:9.11.4.P1
751- dns_dt_getstats@Base 1:9.11.4.P1
752- dns_dt_open@Base 1:9.11.4.P1
753- dns_dt_parse@Base 1:9.11.4.P1
754- dns_dt_reopen@Base 1:9.11.4.P1
755- dns_dt_send@Base 1:9.11.4.P1
756- dns_dt_setidentity@Base 1:9.11.4.P1
757- dns_dt_setversion@Base 1:9.11.4.P1
758- dns_dt_shutdown@Base 1:9.11.4.P1
759- dns_dtdata_free@Base 1:9.11.4.P1
760 dns_dumpctx_attach@Base 1:9.11.3+dfsg
761 dns_dumpctx_cancel@Base 1:9.11.3+dfsg
762 dns_dumpctx_db@Base 1:9.11.3+dfsg
763@@ -3032,24 +2984,6 @@ libdns.so.1104 libdns1104 #MINVER#
764 dns_zt_setviewcommit@Base 1:9.11.3+dfsg
765 dns_zt_setviewrevert@Base 1:9.11.3+dfsg
766 dns_zt_unmount@Base 1:9.11.3+dfsg
767- dnstap__dnstap__descriptor@Base 1:9.11.4.P1
768- dnstap__dnstap__free_unpacked@Base 1:9.11.4.P1
769- dnstap__dnstap__get_packed_size@Base 1:9.11.4.P1
770- dnstap__dnstap__init@Base 1:9.11.4.P1
771- dnstap__dnstap__pack@Base 1:9.11.4.P1
772- dnstap__dnstap__pack_to_buffer@Base 1:9.11.4.P1
773- dnstap__dnstap__type__descriptor@Base 1:9.11.4.P1
774- dnstap__dnstap__unpack@Base 1:9.11.4.P1
775- dnstap__message__descriptor@Base 1:9.11.4.P1
776- dnstap__message__free_unpacked@Base 1:9.11.4.P1
777- dnstap__message__get_packed_size@Base 1:9.11.4.P1
778- dnstap__message__init@Base 1:9.11.4.P1
779- dnstap__message__pack@Base 1:9.11.4.P1
780- dnstap__message__pack_to_buffer@Base 1:9.11.4.P1
781- dnstap__message__type__descriptor@Base 1:9.11.4.P1
782- dnstap__message__unpack@Base 1:9.11.4.P1
783- dnstap__socket_family__descriptor@Base 1:9.11.4.P1
784- dnstap__socket_protocol__descriptor@Base 1:9.11.4.P1
785 dst__entropy_getdata@Base 1:9.11.3+dfsg
786 dst__entropy_status@Base 1:9.11.3+dfsg
787 dst__gssapi_init@Base 1:9.11.3+dfsg
788diff --git a/debian/patches/CVE-2019-6471.patch b/debian/patches/CVE-2019-6471.patch
789new file mode 100644
790index 0000000..43a176b
791--- /dev/null
792+++ b/debian/patches/CVE-2019-6471.patch
793@@ -0,0 +1,44 @@
794+Description: fix race condition
795+Origin: provided by ISC
796+
797+diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
798+index 408beda..3278db4 100644
799+--- a/lib/dns/dispatch.c
800++++ b/lib/dns/dispatch.c
801+@@ -134,7 +134,7 @@ struct dns_dispentry {
802+ isc_task_t *task;
803+ isc_taskaction_t action;
804+ void *arg;
805+- bool item_out;
806++ bool item_out;
807+ dispsocket_t *dispsocket;
808+ ISC_LIST(dns_dispatchevent_t) items;
809+ ISC_LINK(dns_dispentry_t) link;
810+@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
811+ disp = resp->disp;
812+ REQUIRE(VALID_DISPATCH(disp));
813+
814+- REQUIRE(resp->item_out == true);
815+- resp->item_out = false;
816+-
817+ ev = *sockevent;
818+ *sockevent = NULL;
819+
820+ LOCK(&disp->lock);
821++
822++ REQUIRE(resp->item_out == true);
823++ resp->item_out = false;
824++
825+ if (ev->buffer.base != NULL)
826+ free_buffer(disp, ev->buffer.base, ev->buffer.length);
827+ free_devent(disp, ev);
828+@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
829+ isc_task_send(disp->task[0], &disp->ctlevent);
830+ }
831+
832++/*
833++ * disp must be locked.
834++ */
835+ static void
836+ do_cancel(dns_dispatch_t *disp) {
837+ dns_dispatchevent_t *ev;
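Review bot: the DEP-3 header on this patch is thinner than on the other two patches added in this series: Description should name CVE-2019-6471 (the file name is currently the only place the id appears), and Bug, Bug-Ubuntu and Last-Update lines are missing, so something like `Description: CVE-2019-6471: fix race in dns_dispatch_getnext()` plus the tracker URLs would bring it in line. On the code itself: the first hunk is whitespace-only (re-indenting `bool item_out;`), and the actual fix is moving the `REQUIRE(resp->item_out == true); resp->item_out = false;` pair from before LOCK(&disp->lock) to after it, so the check and the clear happen under the dispatch lock; the added `disp must be locked.` comment on do_cancel() documents the same invariant. That matches what the Description claims.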
838diff --git a/debian/patches/enable-udp-in-host-command.diff b/debian/patches/enable-udp-in-host-command.diff
839new file mode 100644
840index 0000000..5444ae7
841--- /dev/null
842+++ b/debian/patches/enable-udp-in-host-command.diff
843@@ -0,0 +1,26 @@
844+Description: Fix parsing of host(1)'s -U command line option
845+Author: Andreas Hasenack <andreas@canonical.com>
846+Bug: https://gitlab.isc.org/isc-projects/bind9/issues/769
847+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1804648
848+Applied-Upstream: https://gitlab.isc.org/isc-projects/bind9/commit/5e2cd91321cdda1707411c4e268d364f03f63935
849+Last-Update: 2018-12-06
850+---
851+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
852+--- a/bin/dig/host.c
853++++ b/bin/dig/host.c
854+@@ -158,6 +158,7 @@
855+ " -s a SERVFAIL response should stop query\n"
856+ " -t specifies the query type\n"
857+ " -T enables TCP/IP mode\n"
858++" -U enables UDP mode\n"
859+ " -v enables verbose output\n"
860+ " -V print version number and exit\n"
861+ " -w specifies to wait forever for a reply\n"
862+@@ -657,6 +658,7 @@
863+ case 'N': break;
864+ case 'R': break;
865+ case 'T': break;
866++ case 'U': break;
867+ case 'W': break;
868+ default:
869+ show_usage();
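Review bot: this patch is marked Applied-Upstream with a commit link, so it should be compared against the upstream tree on each merge and dropped as soon as the imported Debian version already carries the -U handling; a one-line note in the top changelog saying it is still needed at this version would help the next merger. The change itself is minimal: the usage text gains the -U line and the option pre-scan switch accepts 'U' instead of falling through to show_usage().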
870diff --git a/debian/patches/fix-shutdown-race.diff b/debian/patches/fix-shutdown-race.diff
871new file mode 100644
872index 0000000..f10f51f
873--- /dev/null
874+++ b/debian/patches/fix-shutdown-race.diff
875@@ -0,0 +1,41 @@
876+From f2ca287330110993609fa0443d3bdb17629bd979 Mon Sep 17 00:00:00 2001
877+From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
878+Date: Tue, 13 Nov 2018 13:50:47 +0100
879+Subject: [PATCH 1/2] Fix a shutdown race in bin/dig/dighost.c
880+
881+If a tool using the routines defined in bin/dig/dighost.c is sent an
882+interruption signal around the time a connection timeout is scheduled to
883+fire, connect_timeout() may be executed after destroy_libs() detaches
884+from the global task (setting 'global_task' to NULL), which results in a
885+crash upon a UDP retry due to bringup_timer() attempting to create a
886+timer with 'task' set to NULL. Fix by preventing connect_timeout() from
887+attempting a retry when shutdown is in progress.
888+
889+(cherry picked from commit 462175659674a10c0d39c7c328f1a5324ce2e38b)
890+
891+Origin: https://gitlab.isc.org/isc-projects/bind9/merge_requests/1040/diffs
892+Bug: https://gitlab.isc.org/isc-projects/bind9/issues/599
893+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/bind9/+bug/1797926
894+Last-Update: 2018-12-06
895+
896+---
897+ bin/dig/dighost.c | 5 +++++
898+ 1 file changed, 5 insertions(+)
899+diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
900+index 39abb9d0fd..17e0328228 100644
901+--- a/bin/dig/dighost.c
902++++ b/bin/dig/dighost.c
903+@@ -3240,6 +3240,11 @@ connect_timeout(isc_task_t *task, isc_event_t *event) {
904+
905+ INSIST(!free_now);
906+
907++ if (cancel_now) {
908++ UNLOCK_LOOKUP;
909++ return;
910++ }
911++
912+ if ((query != NULL) && (query->lookup->current_query != NULL) &&
913+ ISC_LINK_LINKED(query->lookup->current_query, link) &&
914+ (ISC_LIST_NEXT(query->lookup->current_query, link) != NULL)) {
915+--
916+2.18.1
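Review bot: the cherry-pick is labelled [PATCH 1/2] and Origin points at the full merge request, so the header should state whether the second patch in that series is intentionally omitted or simply not applicable here; as written, a reader cannot tell whether the fix is complete. The change itself looks sound as far as the visible lines go: the cancel_now check sits after INSIST(!free_now) and releases the lookup lock with UNLOCK_LOOKUP before returning, which is the same pattern the surrounding code uses.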
917diff --git a/debian/patches/series b/debian/patches/series
918index b8cde78..bd7121f 100644
919--- a/debian/patches/series
920+++ b/debian/patches/series
921@@ -12,3 +12,6 @@ keymgr-dont-immediately-delete.diff
922 0012-CVE-2018-5743-Limiting-simultaneous-TCP-clients-is-i.patch
923 0013-Replace-atomic-operations-in-bin-named-client.c-with.patch
924 0014-Disable-broken-Ed448-support.patch
925+enable-udp-in-host-command.diff
926+fix-shutdown-race.diff
927+CVE-2019-6471.patch
928diff --git a/debian/rules b/debian/rules
929index c8d745c..717ecb9 100755
930--- a/debian/rules
931+++ b/debian/rules
932@@ -91,7 +91,7 @@ override_dh_auto_configure:
933 --with-gssapi=/usr \
934 --with-libidn2 \
935 --with-libjson=/usr \
936- --with-lmdb=/usr \
937+ --without-lmdb \
938 --with-gnu-ld \
939 --with-geoip=/usr \
940 --with-atf=no \
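Review bot: --without-lmdb is a behaviour change, not only a dependency trim: without lmdb, named stores zones added through rndc addzone in the plain-text new-zone file rather than in an LMDB database, so it deserves a mention in the changelog alongside the dnstap change rather than being hidden in the build-dependency list.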
941@@ -101,7 +101,6 @@ override_dh_auto_configure:
942 --enable-native-pkcs11 \
943 --with-pkcs11=\$${prefix}/lib/softhsm/libsofthsm2.so \
944 --with-randomdev=/dev/urandom \
945- --enable-dnstap \
946 $(EXTRA_FEATURES)
947 dh_auto_configure -B build-udeb -- \
948 --sysconfdir=/etc/bind \
949@@ -126,8 +125,6 @@ override_dh_auto_configure:
950 # no need to build these targets here
951 sed -i 's/dnssec-pkcs11//;s/named-pkcs11//' build-udeb/bin/Makefile
952 sed -i 's/dns-pkcs11//;s/isc-pkcs11//' build-udeb/lib/Makefile
953- cp lib/dns/dnstap.proto build/lib/dns
954- cp lib/dns-pkcs11/dnstap.proto build/lib/dns-pkcs11
955
956 override_dh_auto_build:
957 dh_auto_build -B build
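Review bot: dropping --enable-dnstap is the configure-side half of the control, dnsutils.install and symbols changes above, and the third rules hunk (removing the two dnstap.proto copies) follows from it, since those files are only consumed when dnstap is enabled. One thing to double-check that the diff does not show: the udeb configure call (dh_auto_configure -B build-udeb) is untouched here, so confirm it never enabled dnstap or lmdb in the first place.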
958diff --git a/debian/tests/simpletest b/debian/tests/simpletest
959index 468a7c5..34b0b25 100755
960--- a/debian/tests/simpletest
961+++ b/debian/tests/simpletest
962@@ -10,10 +10,6 @@ setup() {
963 run() {
964 # Make a query against a local zone
965 dig -x 127.0.0.1 @127.0.0.1
966-
967- # Make a query against an external nameserver and check for DNSSEC validation
968- echo "Checking for DNSSEC validation status of internetsociety.org"
969- dig -t a internetsociety.org @127.0.0.1 | egrep 'flags:.+ad; QUERY'
970 }
971
972 teardown() {
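Review bot: removing the internetsociety.org lookup takes the only network-dependent step out of the DEP8 test, which is the right call for reliability, but what remains (`dig -x 127.0.0.1 @127.0.0.1`) passes as long as dig exits 0, and dig exits 0 for SERVFAIL and NXDOMAIN answers as well. Consider asserting on the response, for example piping into `grep -q 'status: NOERROR'`, so that a named that starts but cannot answer still fails the test; if the DNSSEC-validation coverage matters, it can be kept offline by serving a locally signed zone from setup() instead of querying an external name.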
